S/N 09/886,146 



Response to Office Action Dated 12/10/2004 



MODIFICATIONS TO CLAIM STATUS 

In complete response to the Examiner's Requirement for Restriction, dated 
12/10/2004, the Applicant hereby elects Group I including claims 1 — 35 and 38 — 61, 
without traverse. 

In accordance with the PTO's revised Response format, a detailed listing of all 
claims has been provided. This listing of claims will replace all prior versions, and 
listings, of claims in the application. 

By way of overview, claims 1 — 61 are currently pending. Of these pending 
claims: 

A) Claims 1 — 61 remain in their original form; and 

B) Claims 36 and 37 are currently withdrawn. 

Listing of Claims 

1. (Original.) A method comprising: 

identifying a target service to which access is sought on behalf of a client; 

causing a server operatively coupled to the client to request access to the 
target service on behalf of the client, from a trusted third-party, wherein the server 
provides the trusted third-party with a credential authenticating the server, 
information about the target service, and a service credential previously provided 
by the client to the server. 

2. (Original.) The method as recited in Claim 1, wherein the trusted 
third-party includes at least one service selected from a group of services 
comprising a key distribution center (KDC) service, a certificate granting authority 
service, and a domain controller service. 

3. (Original.) The method as recited in Claim 2, wherein the trusted 
third-party provides the server with a new service credential granted in the name 
of the client rather than the server. 

4. (Original.) The method as recited in Claim 3, wherein the new 
service credential is configured for use by the server and the target service to 
which access is sought. 

5. (Original.) The method as recited in Claim 3, wherein the credential 
authenticating the server is a ticket that includes a ticket granting ticket associated 
with the server. 

6. (Original.) The method as recited in Claim 1, further comprising: 

causing the trusted third-party to verify that the client has authorized 
delegation. 

7. (Original.) The method as recited in Claim 6, wherein: 

the trusted third-party includes a key distribution center (KDC); and 

causing the trusted third-party to verify that the client has authorized 
delegation includes verifying the status of a restriction placed on the ticket 
originating from the client. 
8. (Original.) The method as recited in Claim 1, further comprising: 

causing the trusted-third-party to selectively determine if the client is 
allowed to participate in delegation either based on information selected from a 
group comprising an identity of the client, a group affiliation associated with the 
client. 

9. (Original.) The method as recited in Claim 1, wherein the server is a 
front-end server with respect to a back-end server that is coupled to the front-end 
server, and wherein the back-end server is configured to provide the target service 
to which access is sought. 

10. (Original.) The method as recited in Claim 1, wherein: 

the trusted third-party includes a key distribution center (KDC); 

the KDC provides a ticket-granting-ticket associated with the client to the 
client; and 

the client does not provide the ticket granting ticket to the server. 

11. (Original.) The method as recited in Claim 1, wherein: 

the trusted third-party includes a key distribution center (KDC); and 
the server requests the new credential in a ticket granting service request 
message that includes a service ticket provided by the client to the server. 

12. (Original.) A method comprising: 
identifying a target service to which access is sought on behalf of a client; 
and 

causing a server operatively coupled to the client to request access to the 
target service on behalf of the client, from a trusted third party, wherein the server 
provides the trusted third party with a service credential authenticating the server, 
information about the target service, and a service credential previously provided 
by the client for the service, and wherein the client ticket includes implementation- 
specific identity information. 

13. (Original.) The method as recited in Claim 12, wherein the 
implementation-specific identity information includes information selected from a 
group comprising privilege attribute certificate (PAC) information, security 
identifier information, Unix identifier information, Passport identifier information, 
certificate information. 

14. (Original.) The method as recited in Claim 13, wherein the PAC 
information includes compound identity information. 

15. (Original.) The method as recited in Claim 13, wherein the PAC 
information includes access control restrictions for use as delegation constraints. 

16. (Original.) A computer-readable medium having computer- 
executable instructions for performing tasks comprising: 
in a server, determining a target service to which access is sought on behalf 
of a client coupled to the server; 

requesting a new service credential from a trusted third-party by providing 
the trusted third-party with a credential authenticating the server, information 
about the target service, and a service credential associated with the client and the 
requesting server. 

17. (Original.) The computer-readable medium as recited in Claim 16, 
wherein the trusted third-party includes at least one service selected from a group 
of services comprising a key distribution center (KDC) service, a certificate 
granting authority service, and a domain controller service. 

18. (Original.) The computer-readable medium as recited in Claim 17, 
wherein the new service credential is granted in the name of the client rather than 
the server. 

19. (Original.) The computer-readable medium as recited in Claim 18, 
wherein the service credential is configured for use by the server and the target 
service. 

20. (Original.) The computer-readable medium as recited in Claim 18, 
wherein the credential authenticating the server includes a ticket granting ticket 
associated with the server. 
21. (Original.) The computer-readable medium as recited in Claim 16, 
further comprising: 

causing the trusted third-party to verify that the client has authorized 
delegation. 

22. (Original.) The computer-readable medium as recited in Claim 21, 
wherein: 

the trusted third-party includes a key distribution center (KDC); and 

causing the trusted third-party to verify that the client has authorized 
delegation includes verifying the status of a forwardable flag value as set by the 
client. 

23. (Original.) The computer-readable medium as recited in Claim 16, 
wherein the server is a front-end server with respect to a back-end server coupled 
to the front-end server, and wherein the back-end server is configured to provide 
the target service. 

24. (Original.) The computer-readable medium as recited in Claim 16, 
wherein: 

the trusted third-party includes a key distribution center (KDC); 
the KDC provides a ticket-granting-ticket associated with the client to the 
client; and 

the client does not provide the ticket granting ticket to the server. 
25. (Original.) The computer-readable medium as recited in Claim 16, 
wherein: 

the trusted third-party includes a key distribution center (KDC); and 

the requesting server requests the new service credential in a ticket granting 
service request message that includes a service ticket provided by the client to the 
server. 

26. (Original.) A system comprising: 

a credential granting mechanism configured to receive a request for a new 
service credential from a server and in response generate the new service 
credential if delegation is allowable, and wherein the request includes: 

a credential authenticating the requesting server, 

identifying information about a target service to which access is sought on 
behalf of a client coupled to the server, and 

a service credential that was previously granted to the client for use with the 
server. 

27. (Original.) The system as recited in Claim 26, wherein the 
credential granting mechanism is provided by a trusted third party and includes at 
least one service selected from a group of services comprising a key distribution 
center (KDC) service, a certificate granting authority service, and a domain 
controller service. 
28. (Original.) The system as recited in Claim 27, wherein the new 
service credential is granted in the name of the client rather than the server. 

29. (Original.) The system as recited in Claim 28, wherein the service 
credential is configured for use by the server and the target service. 

30. (Original.) The system as recited in Claim 28, wherein the 
credential authenticating the server includes a ticket granting ticket associated with 
the server, and which was previously granted by the credential granting 
mechanism. 

31. (Original.) A system comprising: 

a server configured to generate a request for a new service credential from a 
trusted third-party, the new service credential being associated with a client and a 
target service, the request comprising: 

a credential authenticating the server, 

information about the target service, and 

a service credential associated with the client and the server. 

32. (Original.) The system as recited in Claim 31, wherein the trusted 
third-party includes at least one service selected from a group of services 
comprising a key distribution center (KDC) service, a certificate granting authority 
service, and a domain controller service. 
33. (Original.) The system as recited in Claim 31, wherein the 
credential authenticating the server includes a ticket granting ticket associated with 
the server. 

34. (Original.) The system as recited in Claim 31, wherein the server is 
a front-end server with respect to the service. 

35. (Original.) The system as recited in Claim 31, wherein the server 
requests the new service credential in a ticket granting service request message 
that includes the service ticket associated with the client and the server. 

36. (Withdrawn.) A computer-readable medium having stored thereon a 
data structure, comprising: 

a credential authenticating a first server, 

information identifying a second server, and 

a service credential associated with a client and the first server. 

37. (Withdrawn.) The computer-readable medium as recited in Claim 
36, wherein the credential authenticating the first server includes a ticket-granting- 
ticket (TGT) and the service credential includes a service ticket. 

38. (Original.) A method comprising: 
separately authenticating a server and a client; 
providing the server with a server ticket granting ticket; 
providing the client with a client ticket granting ticket and a service ticket 
for use with the server; 

providing the server with a new service ticket for use by the server for use 
with a new service without requiring the server to have access to the client ticket 
granting ticket. 

39. (Original.) The method as recited in Claim 38, further comprising: 

causing the server to request the new service ticket on behalf of the client 
by forwarding the server ticket granting ticket, information identifying the new 
service, and the service ticket to a trusted third party. 

40. (Original.) A method comprising: 

identifying a target service to which access is sought on behalf of a client 
that has been authenticated using a first authentication method; 

causing a server that is operatively coupled to the target service and the 
client to request a service credential to itself from a second authentication method 
trusted third-party by identifying the client and the first authentication protocol; 
and 

causing the server to request a new service credential, for use by the server 
and the target service, from the second authentication method trusted third-party, 
wherein the server provides the trusted third-party with a credential authenticating 
the server, information about the target service, and the service credential to itself. 
41. (Original.) The method as recited in Claim 40, wherein the second 
authentication method trusted third-party includes at least one service selected 
from a group of services comprising a key distribution center (KDC) service, a 
certificate granting authority service, and a domain controller service. 

42. (Original.) The method as recited in Claim 41, wherein the new 
service credential is granted in an identity of the client rather than an identity of 
the server. 

43. (Original.) The method as recited in Claim 42, wherein the service 
credential is configured for use by the server and the target service to which access 
is sought. 

44. (Original.) The method as recited in Claim 42, wherein the 
credential authenticating the server includes a ticket granting ticket associated with 
the server. 

45. (Original.) The method as recited in Claim 40, further comprising: 

upon receiving a request for the new service credential from the server, 
causing the second authentication method trusted third-party to verify that the 
client has authorized delegation. 
46. (Original.) The method as recited in Claim 40, wherein the server is 
a front-end server with respect to a back-end server that is coupled to the front-end 
server, and wherein the back-end server is configured to provide the target service. 

47. (Original.) The method as recited in Claim 40, wherein the first 
authentication method is selected from a group of authentication methods 
comprising Passport, SSL, NTLM, and Digest. 

48. (Original.) The method as recited in Claim 40, wherein the second 
authentication method includes a Kerberos authentication protocol. 

49. (Original.) A computer-readable medium having computer- 
executable instructions for performing tasks comprising: 

identifying a target service to which access is sought on behalf of a client 
that has been authenticated using a first authentication method; 

causing a server that is operatively coupled to the target service and the 
client to request a service ticket to itself from a second authentication method 
trusted third-party by identifying the client and the first authentication protocol; 
and 

causing the server to request a new service ticket, for use by the server and 
the identified service, from the second authentication method trusted third-party, 
wherein the server provides the trusted third-party with a ticket authenticating the 
server, information about the target service, and the service ticket to itself. 
50. (Original.) The computer-readable medium as recited in Claim 49, 
wherein the second authentication method trusted third-party includes a key 
distribution center (KDC). 

51. (Original.) The computer-readable medium as recited in Claim 50, 
wherein the new service ticket includes a service ticket granted in an identity of 
the client rather than an identity of the server. 

52. (Original.) The computer-readable medium as recited in Claim 51, 
wherein the service ticket is configured for use by the server and the target service. 

53. (Original.) The computer-readable medium as recited in Claim 51, 
wherein the ticket authenticating the server includes a ticket granting ticket 
associated with the server. 

54. (Original.) The computer-readable medium as recited in Claim 49, 
further comprising: 

upon receiving a request for the new service ticket from the server, causing 
the second authentication method trusted third-party to verify that the client has 
authorized delegation. 

55. (Original.) The computer-readable medium as recited in Claim 49, 
wherein the server is a front-end server with respect to a back-end server that is 
coupled to the front-end server, and wherein the back-end server is configured to 
provide the target service. 

56. (Original.) The computer-readable medium as recited in Claim 49, 
wherein the first authentication method is selected from a group of authentication 
methods comprising Passport, SSL, NTLM, and Digest. 

57. (Original.) The computer-readable medium as recited in Claim 49, 
wherein the second authentication method includes a Kerberos authentication 
protocol. 

58. (Original.) A system comprising: 
a server configurable to: 

identify a target service to which access is sought on behalf of a 
client that has been authenticated using a first authentication method, 

request a service credential to itself from a second authentication 
method trusted third-party by identifying the client and the first 
authentication method, and 

subsequently request a new service credential, for use by the server 
and the target service, from the second authentication method trusted third- 
party, 

wherein the server provides the second authentication method 
trusted third-party with a credential authenticating the server, information about 
the target service, and the service credential to itself. 
59. (Original.) The system as recited in Claim 58, wherein the new 
service credential is granted in an identity of the client rather than the server. 

60. (Original.) The system as recited in Claim 59, wherein the new 
service credential is configured for use by the server and the target service. 

61. (Original.) The system as recited in Claim 59, wherein the 
credential authenticating the server includes a ticket granting ticket associated with 
the server. 